Krebs on Security

In-depth security news and investigation

Posts Tagged: FixIt

Microsoft today deviated from its usual monthly patch cycle in issuing an emergency security update to fix a critical security hole in its Internet Explorer Web browser that attackers have been exploiting to break into Windows PCs.

The update, MS13-008, addresses a single vulnerability in IE versions 6 through 8, and is available through Windows Update. The patch comes a little more than two weeks after security firms began seeing evidence that hackers were leveraging the vulnerability in targeted attacks. Microsoft maintains that it has seen only a limited number of attacks against the flaw, but acknowledged in a blog post that “the potential exists that more customers could be affected.”

Prior to today, Microsoft released a stopgap Fix It tool to help blunt attacks against the IE flaw. According to Microsoft, “if you previously applied the Fix it offered through the advisory, you do not need to uninstall it before applying the security update released today. However, the Fix it is no longer needed after the security update is installed, so we are recommending that you uninstall it after you have applied the update to your system.” Users who applied the Fix It solution can uninstall it by clicking the Fix It icon under the words “Disable MSHTML shim workaround” at this page.

Adobe and Microsoft today separately issued updates to fix critical security vulnerabilities in their products. Adobe pushed out fixes for security issues in Acrobat, Adobe Reader and its Flash Player plugin. Microsoft released seven patches addressing at least a dozen security holes in Windows and other software, although it failed to issue an official patch for a dangerous flaw in its Internet Explorer Web browser that attackers are now actively exploiting.

Two of the patches that Microsoft issued today earned a “critical” rating, signifying that these vulnerabilities could be exploited to fully compromise vulnerable Windows systems without any help from users. Microsoft called special attention to two critical bugs in its XML Core Services component; the company said it is likely that malware or miscreants will figure out a way to exploit these flaws in active attacks sometime within the next 30 days.

Unfortunately, Microsoft did not offer an official fix for a critical Windows flaw that malware and miscreants are already exploiting. In late December, Microsoft acknowledged that attackers were using a previously undocumented security hole in Internet Explorer versions 6 through 8 to break into Windows PCs. Microsoft later issued a stopgap “FixIt” tool to help lessen the vulnerability on affected systems, but researchers last week demonstrated that the FixIt tool only blocked some methods of attacking the flaw, leaving other ways unguarded. Meanwhile, a working copy of the exploit has been folded into Metasploit, a free penetration testing tool.

“Microsoft is not providing a patch today, though they have provided a Fix-It for the issue,” Kandek wrote in a blog post. “The vulnerability should be tracked closely, as a large percentage of enterprises still run the affected versions.”

Users who wish to continue browsing the Web with IE should upgrade to IE9 if possible (IE10 on Windows 8 also is not vulnerable). Users still on Windows XP will not be able to update to IE9, but may be able to derive some protection from the FixIt tool and by using Microsoft’s EMET tool. XP users may be better off, however, browsing with Firefox or Chrome with some type of script blocking and/or sandbox in place. More information on how to use EMET and script blocking options is available in my Tools for a Safer PC primer. More details about today’s updates from Microsoft can be found at the Microsoft Security Response Center blog and in the security bulletin summaries for each patch.

The Adobe Flash patch fixes at least one critical vulnerability in the media player plugin. Updates are available for all supported versions of Flash, including for Windows, Mac, Linux and Android. See the chart below for the latest version number broken down by operating system.

Microsoft today released updates to plug at least 26 separate security holes in its Windows operating systems and related software. At the same time, Microsoft has issued a stopgap fix for a newly-discovered flaw that attackers are actively exploiting.

The security fixes are included in seven security patch bundles, three of which earned Microsoft’s most dire “critical” label, signifying that attackers can exploit them without any help on the part of the user. Redmond patched vulnerabilities in Windows, Internet Explorer, Dynamics AX, Microsoft Lync (Microsoft’s enterprise instant message software), and the Microsoft .NET Framework.

Microsoft called out two patches as particularly important: the Internet Explorer bundle (MS12-037), which addresses 13 issues; and a critical flaw in the Windows remote desktop protocol (RDP). Updates are available for all supported versions of Windows, via Windows Update or Automatic Update. Continue reading →

Microsoft has released an advisory and a stopgap fix for the zero-day vulnerability exploited by the “Duqu” Trojan, a highly targeted malware strain that some security experts say could be the most important cyber espionage threat since Stuxnet.

According to the advisory, the critical vulnerability resides in most supported versions of Windows, including Windows XP, Vista and Windows 7. The problem stems from the way Windows parses certain font types. Microsoft says it is aware of targeted attacks exploiting this flaw, but that it believes few users have been affected.

Nevertheless, the flaw is a dangerous one. Microsoft said that an attacker who successfully exploited this vulnerability could run arbitrary code, install programs; view, change, or delete data; or create new accounts with full user rights. The most likely vehicle for the exploit is a poisoned email attachment.

Microsoft is working on developing an official security update to fix the flaw. For now, it has released a point-and-click Fixit tool that allows Windows users to disable the vulnerable component. Enabling this tweak may cause fonts in some applications to display improperly. If you experience problems after applying the Fixit solution, you can always undo it by clicking “disable” image in the Microsoft advisory and following the prompts.

Update, Nov. 10, 9:22 a.m. ET: As several readers have noted, installing this FixIt may cause Windows Update to repeatedly ask prompt you to install two particular updates: KB972270, and KB982132. Uninstalling the FixIt seems to stop these incessant prompts, although it leaves the vulnerable Windows component exposed.

Adobe warned today attackers are exploiting a previously unknown security flaw in all supported versions of its Flash Player software. The company said the same vulnerability exists in Adobe Reader and Acrobat, but that it hasn’t yet seen attacks targeting the flaw in those programs.

In an advisory released today, Adobe said malicious hackers were exploiting a critical security hole in Flash (up to and including the latest version of Flash. The software maker warned the vulnerability also exists in Adobe Flash player 10.2.152.33 and earlier versions for Windows, Mac, Linux and Solaris operating systems (10.2.154.13 and earlier for Chrome users), Flash Player 101.106.16 and earlier for Android. In addition, Adobe believes the bug lives in the “authplay.dll” component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Mac systems.

Adobe warns that the security hole is currently being exploited via Flash (.swf) files embedded in a Microsoft Excel document delivered as an email attachment. Why someone would need to embed a Flash file in an Excel document is anyone’s guess.

Microsoft has released a point-and-click tool to help protect Windows users from a broad category of security threats that stem from a mix of insecure default behaviors in Windows and poorly written third-party applications.

My explanation of the reason that this is a big deal may seem a bit geeky and esoteric, but it’s a good idea for people to have a basic understanding of the threat because a number of examples of how to exploit the situation have already been posted online. Readers who’d prefer to skip the diagnosis and go straight to the treatment can click here.

DLL Hijacking

Windows relies heavily on powerful chunks of computer code called “dynamic link libraries” or DLLs. Each of these DLLs performs a specific set of commonly-used functions, and they are designed so that Windows can share these functions with other third-party programs that may want to invoke them for their own purposes. Many third-party apps will load these DLLs or bring their own when they first start up and often while they’re already running.

Typically, DLLs are stored in key places, such as the Windows System (or System32) directory, or in the directory from which the application was loaded. Ideally, applications will let Windows know where to find the DLLs they need, but many do not.

The potential for trouble starts when an application requests a specific DLL that doesn’t exist on the system. At that point, Windows sets off searching for it — looking in the above-mentioned key places first. But eventually, if Windows doesn’t find the DLL there or in a couple of other places, it will look in the user’s current directory, which could be the Windows Desktop, a removable device such as a USB key, or a folder shared on a local or remote network.

And while an attacker may not have permission to write files to the Windows system or program directories, he may be able to supply his own malicious DLL from a local or remote file directory, according to the U.S. Computer Emergency Readiness Team.

Several months ago, experts from a Slovenian security firm warned that hundreds of third-party applications were vulnerable to remote attacks that could trick those apps into loading and running malicious DLLs. According to the Exploit Database — which has been tracking confirmed reports of applications that are vulnerable to this attack — vulnerable apps include Windows Live Mail, Windows Movie Maker, Microsoft Office Powerpoint 2007, Skype, Opera, Medialplayer Classic and uTorrent, to name just a few.

Roughly one week ago, Microsoft released a workaround tool to help users and system administrators blunt the threat from all of this by blocking insecure DLLs from loading from remote and local file sharing locations. But the tool wasn’t exactly made for home users: After you installed and rebooted, you still had to manually set a key in the Windows registry, an operation that can cause serious problems for Windows if done imprecisely.

On Tuesday, Microsoft simplified things a tiny bit, by releasing one of its “FixIt” tools to make that registry fix so users don’t have to monkey around in there. Trouble is, you still need to have installed the initial workaround tool before you can install this point-and-click FixIt tool.

It’s tough to gauge whether DLL hijacking poses the same threat to home users that it does to users on larger enterprise networks. Microsoft maintains that this class of vulnerability does not enable a “driveby” or “browse-and-get-owned” zero-click attack, but the attack scenarios Redmond describes where a Windows user could get owned by this attack probably would work against a majority of average Windows users.

And while it may take some time for developers of vulnerable third-party apps to fix their code, Microsoft’s interim fix does add a measure of protection. If you’d like to take advantage of that protection, visit this link, scroll down to the Update Information tab, and click the package that matches your version of Windows. Install the fix and reboot Windows. Then visit this link, and click the FixIt icon in the center of the page and follow the installation prompts.

Microsoft today released an emergency security update to fix a critical flaw present in all supported versions of Windows. The patch comes as virus writers are starting to ramp up attacks that leverage the vulnerability.

There are a couple of things you should know before installing this update. If you took advantage of the “FixIt” tool that Microsoft shipped last month to blunt the threat from this flaw, you should take a moment now to undo that fix. To do that, visit this link, then click the image below the “Disable Workaround” heading, and follow the prompts. You will need to reboot the system before installing the official fix released today, which is available from Windows Update.

The patch issued today carries the Microsoft Knowledge Base (KB) number KB2286198, in case you’ve just run Windows Update and are checking to see whether this update is available to you yet.

You will need to reboot after installing the patch. After I applied this patch and rebooted the system, Windows Explorer stalled, leaving Windows unresponsive. After a forced restart (powering the system off and then on again), my 64-bit Windows 7 system booted into Windows normally.

When this vulnerability was initially disclosed, it was only being used in targeted attacks online. However, as Microsoft warned and others have confirmed, this vulnerability is now showing up in more mainstream attacks. Please take a moment to apply this update today if you can, particularly if your Windows system is not already protected with the FixIt tool mentioned above.

More information on this update is available from the Microsoft bulletin. And as always, please leave a comment below if you experience any problems installing this update.

Microsoft has released a stopgap fix to help Windows users protect themselves against threats that may try to target a newly discovered, critical security hole that is present in every supported version of Windows.

Last week, KrebsOnSecurity.com reported that security researchers in Belarus had found a sophisticated strain of malware that was exploiting a previously unknown flaw in the way Windows handles shortcut files. Experts determined that the malware exploiting the vulnerability was being used to attack computers that interact with networks responsible for controlling the operations of large, distributed and very sensitive systems, such as manufacturing and power plants.

When Microsoft initially released an advisory acknowledging the security hole last week, it said customers could disable the vulnerable component by editing the Windows registry. Trouble is, editing the registry can be a dicey affair for those less experienced working under the hood in Windows because one errant change can cause system-wide problems.

But in an updated advisory posted Tuesday evening, Microsoft added instructions for using a much simpler, point-and-click “FixIt” tool to disable the flawed Windows features. That tool, available from this link, allows Windows users to nix the vulnerable component by clicking the “FixIt” icon, following the prompts, and then rebooting the system.

Be advised, however, that making this change could make it significantly more difficult for regular users to navigate their computer and desktop, as it removes the graphical representation of icons on the Task bar and Start menu bar and replaces them with plain, white icons.

For instance, most Windows users are familiar with these icons:

According to Microsoft, after applying this fix, those icons will be replaced with nondescript (and frankly ugly) placeholders that look like this:

Microsoft is warning that hackers have ramped up attacks against an unpatched, critical security hole in computers powered by Windows XP and Server 2003 operating systems. The software giant says it is working on an official patch to fix the flaw, but in the meantime it is urging users to apply an interim workaround to disable the vulnerable component.

Redmond first warned of limited attacks against the vulnerability in mid-June, not long after a Google researcher disclosed the details of a flaw in the Microsoft Help & Support Center that can be used to remotely compromise affected systems. Last week, Microsoft said the pace of attacks against Windows users had picked up, and that more than 10,000 distinct computers have reported seeing this attack at least one time.

If you run either Windows XP or Server 2003, I’d encourage you to consider running Microsoft’s stopgap “FixIt” tool to disable the vulnerable Help Center component. To do this, click this link, then click the “FixIt” button in the middle of the page under the “enable this fix” heading. Should you need to re-enable the component for any reason, click the other FixIt icon. Users who apply this fix don’t need to undo it before applying the official patch once it becomes available, which at this rate probably will be on Tuesday, July 13.